wshrat | bf9732fc595f9164e52870fc95a4673fb5fddd7748003c392aeb8f8776eea077

General

Target

Quotation Items.js
Size

924KB
MD5

22e021e97b1606d6abdfaf275e3b5e17
SHA1

4980e4db080a52d5c456c7bb4bc1190eb8bb3a0e
SHA256

bf9732fc595f9164e52870fc95a4673fb5fddd7748003c392aeb8f8776eea077
SHA512

344ceb6b6bc565e88fb3e6ed929af77713d8a77150b3b3abf070ec36d178e997223f00f1eaf64805b0c944d607d167b0792947d41e56341db6406ddd2e009725
SSDEEP

6144:QQvbVQ7mFqpB5KRolwBSA5ey+vONQ6n8G/6TMXoFLNY+bQHtAtLvNYY1mXIcJIQY:Tw

Score

10^/10

wshrat trojan

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 14 IoCs

flow	pid	Process
4	1716	wscript.exe
7	1716	wscript.exe
8	1716	wscript.exe
10	1716	wscript.exe
11	1716	wscript.exe
12	1716	wscript.exe
14	1716	wscript.exe
15	1716	wscript.exe
16	1716	wscript.exe
18	1716	wscript.exe
19	1716	wscript.exe
20	1716	wscript.exe
22	1716	wscript.exe
23	1716	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quotation Items.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quotation Items.js	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 13 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	7	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/4/2023\|JavaScript-v3.4\|01:Unknown
HTTP User-Agent header	8	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/4/2023\|JavaScript-v3.4\|01:Unknown
HTTP User-Agent header	12	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/4/2023\|JavaScript-v3.4\|01:Unknown
HTTP User-Agent header	20	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/4/2023\|JavaScript-v3.4\|01:Unknown
HTTP User-Agent header	23	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/4/2023\|JavaScript-v3.4\|01:Unknown
HTTP User-Agent header	18	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/4/2023\|JavaScript-v3.4\|01:Unknown
HTTP User-Agent header	19	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/4/2023\|JavaScript-v3.4\|01:Unknown
HTTP User-Agent header	22	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/4/2023\|JavaScript-v3.4\|01:Unknown
HTTP User-Agent header	10	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/4/2023\|JavaScript-v3.4\|01:Unknown
HTTP User-Agent header	11	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/4/2023\|JavaScript-v3.4\|01:Unknown
HTTP User-Agent header	14	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/4/2023\|JavaScript-v3.4\|01:Unknown
HTTP User-Agent header	15	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/4/2023\|JavaScript-v3.4\|01:Unknown
HTTP User-Agent header	16	WSHRAT\|9CA37D4D\|YBHADZIG\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/4/2023\|JavaScript-v3.4\|01:Unknown

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 1716	1060	wscript.exe	28
PID 1060 wrote to memory of 1716	1060	wscript.exe	28
PID 1060 wrote to memory of 1716	1060	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Quotation Items.js"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Quotation Items.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quotation Items.js

Filesize
924KB

MD5
22e021e97b1606d6abdfaf275e3b5e17

SHA1
4980e4db080a52d5c456c7bb4bc1190eb8bb3a0e

SHA256
bf9732fc595f9164e52870fc95a4673fb5fddd7748003c392aeb8f8776eea077

SHA512
344ceb6b6bc565e88fb3e6ed929af77713d8a77150b3b3abf070ec36d178e997223f00f1eaf64805b0c944d607d167b0792947d41e56341db6406ddd2e009725

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quotation Items.js

Filesize
924KB

MD5
22e021e97b1606d6abdfaf275e3b5e17

SHA1
4980e4db080a52d5c456c7bb4bc1190eb8bb3a0e

SHA256
bf9732fc595f9164e52870fc95a4673fb5fddd7748003c392aeb8f8776eea077

SHA512
344ceb6b6bc565e88fb3e6ed929af77713d8a77150b3b3abf070ec36d178e997223f00f1eaf64805b0c944d607d167b0792947d41e56341db6406ddd2e009725

Download Submit
C:\Users\Admin\AppData\Roaming\Quotation Items.js

Filesize
924KB

MD5
22e021e97b1606d6abdfaf275e3b5e17

SHA1
4980e4db080a52d5c456c7bb4bc1190eb8bb3a0e

SHA256
bf9732fc595f9164e52870fc95a4673fb5fddd7748003c392aeb8f8776eea077

SHA512
344ceb6b6bc565e88fb3e6ed929af77713d8a77150b3b3abf070ec36d178e997223f00f1eaf64805b0c944d607d167b0792947d41e56341db6406ddd2e009725

Download Submit

Analysis

Sharing